Abstract. The best known unconditional deterministic complexity bound for computing the prime factorization of an integer $N$ is $O(M_{\mathrm{int}}(N^{1/4} \log N))$, where $M_{\mathrm{int}}(k)$ denotes the cost of multiplying $k$-bit integers. This result is due to Bostan-Gaudry-Schost, following the Pollard-Strassen approach. We show that this bound can be improved by a factor of $\sqrt{\log \log N}$.

1. Introduction 

In this paper we consider unconditional deterministic complexity bounds for computing the prime factorization of a positive integer $N$. Complexity refers to bit complexity, in the sense of the multitape Turing machine model [Pap94].

The best known bounds for this problem are all of the shape $O(N^{1/4+\epsilon})$. The simplest algorithm achieving such a bound is due to Strassen [Str77]. Its complexity is analyzed in [BGS07] and shown to be

$$O(M_{\mathrm{int}}(N^{1/4} \log N) \log N),$$

where $M_{\mathrm{int}}(k)$ denotes the cost of multiplying $k$-bit integers. (The best known bound for $M_{\mathrm{int}}(k)$ is $M_{\mathrm{int}}(k) = O(k \log k \, 2^{\log^* k})$, where $\log^* k$ denotes the iterated logarithm [Fur09].) Bostan, Gaudry and Schost [BGS07] improved this further to

$$O(M_{\mathrm{int}}(N^{1/4} \log N)).$$

Our main result is the following refinement. 

Theorem 1. There exists a deterministic algorithm that computes the prime factorization of a positive integer $N$ in

$$O\left( M_{\mathrm{int}}\left( \frac{N^{1/4} \log N}{\sqrt{\log \log N}} \right) \right)$$

bit operations.



To explain the main idea of our algorithm, we recall Strassen's approach. Consider the simplest situation where $N$ is a product of two distinct primes, say $N = pq$, $p < q$. Let $K = \lfloor N^{1/2} \rfloor$. Since $p \le K$ and $q > K$ we have $\gcd(K! \bmod N, N) = p$, so it suffices to compute $K! \bmod N$. To simplify further, assume that $K = L^2$ for some integer $L$. Strassen observes that

$$K! = f(0) f(L) f(2L) \cdots f((L-1)L)$$

where

$$f(x) = (x+1)(x+2) \cdots (x+L).$$
He computes $f(x)$ in $(\mathbb{Z}/N\mathbb{Z})[x]$ using a product tree, and then evaluates $f(x)$ at $0, L, \ldots, (L-1)L$ using a fast multipoint evaluation algorithm. The overall complexity is quasilinear in $L = O(N^{1/4})$. The algorithm of [BGS07] evaluates the same product, but uses a more involved evaluation scheme that saves a factor of $O(\log L)$.

Our key observation is that $K!$ has many terms that do not contribute any useful information. For example, it is easy to extract factors of 2 from $N$. Once this is done, we may assume $N$ is odd, so any remaining factors must be odd. Thus we should replace $K!$ by a product of the form $1 \times 3 \times 5 \times \cdots \times K'$. This immediately saves a factor of $\sqrt{2}$ in Strassen's algorithm (or in the Bostan-Gaudry-Schost algorithm).

More generally, we may select a bound $B$ and remove from $N$ all prime factors bounded by $B$, and then replace the factorial by a generalized factorial that omits all integers divisible by any of these primes. This is a similar idea to the 'factorial sieving' performed in [CDP97]. Our contribution is to show that the algorithm of [BGS07] can be modified to handle such generalized factorials. Choosing a larger $B$ leads to greater savings, but also imposes a cost due to the more complex pattern of integers removed from the generalized factorial. Optimizing the choice of $B$ leads to the bound given in Theorem 1.

All of the factorization algorithms mentioned above (including ours) are of theoretical interest only, and none of them are remotely practical. If we allow probabilistic algorithms, or complexity arguments that depend on unproved hypotheses such as the Riemann Hypothesis, then much better bounds can be achieved. For this we refer the reader to the excellent survey [CP05].

2. Fast polynomial evaluation on arithmetic progressions 

In this section $R$ denotes a ring, in which we can multiply and sum elements in $m$ bit operations, and for which polynomials in $R[x]$ of degree $d$ can be multiplied in $M(d)$ bit operations. We will only provide high-level descriptions of all algorithms and skip the details of their corresponding Turing machine implementations. We assume that $M(d)$ behaves reasonably, in particular that $M(dd') \ge d M(d')$, and so $M(d) \ge dm$. In the next section we will specialize to the case $R = \mathbb{Z}/N\mathbb{Z}$.

We will often use the following standard result without comment. For a proof see [BGS07, Lemma 1].

Lemma 2. Suppose that $r_1, \ldots, r_d$ are invertible in $R$. Given $r_1, \ldots, r_d$ and $(r_1 \cdots r_d)^{-1}$ we may compute $r_1^{-1}, \ldots, r_d^{-1}$ in $O(dm)$ bit operations.

Our basic tool will be [BGS07, Theorem 5], which is given as Proposition 4 below. To state it, we introduce the following notation.

Definition 3. Let $\alpha, \beta \in R$ and $d \ge 1$. We say that $h(\alpha, \beta, d)$ is satisfied if the elements

$$\beta, 2\beta, \ldots, d\beta, \quad (\alpha - d\beta), (\alpha - (d-1)\beta), \ldots, (\alpha + d\beta)$$

are invertible in $R$, and we put

$$d(\alpha, \beta, d) = \beta \cdot 2\beta \cdots d\beta \cdot (\alpha - d\beta)(\alpha - (d-1)\beta) \cdots (\alpha + d\beta).$$

Thus $h(\alpha, \beta, d)$ holds if and only if $d(\alpha, \beta, d)$ is invertible.
Proposition 4. Let $\alpha, \beta \in R$ and $d \ge 1$. Assume that $h(\alpha, \beta, d)$ holds, and that the inverse of $d(\alpha, \beta, d)$ is known. Let $F$ be a polynomial in $R[x]$ of degree at most $d$. Given

$$F(0), F(\beta), \ldots, F(d\beta),$$

we may compute

$$F(\alpha), F(\alpha + \beta), \ldots, F(\alpha + d\beta)$$

in $O(M(d))$ bit operations.

Proof. See [BGS07, Theorem 5]; the proof is based on the Lagrange interpolation formula. We emphasize that the coefficients of $F(x)$ are not part of the input. □

Let $H \in R[x]$ be a polynomial of degree $p \ge 1$. In Section 3 we will be interested in evaluating the polynomial

$$H_k(x) = H(x) H(x+1) \cdots H(x+k-1)$$

on a certain arithmetic progression. Theorem 8 of [BGS07] gives an efficient solution to this problem for $p = 1$. The following two results generalize this to the case $p > 1$.

Proposition 5. Let $\beta \in R$ and $k \ge 1$. Assume that

$$h(k, \beta, kp) \quad \text{and} \quad h((kp+1)\beta, \beta, kp)$$

both hold and that the inverses of

$$d(k, \beta, kp) \quad \text{and} \quad d((kp+1)\beta, \beta, kp)$$

are known. Given

$$H_k(0), H_k(\beta), \ldots, H_k(kp\beta),$$

we may compute

$$H_{2k}(0), H_{2k}(\beta), \ldots, H_{2k}(2kp\beta)$$

in $O(M(kp))$ bit operations.

Proof. We start by applying Proposition 4 with $\alpha = k$ and $d = kp$ to the known values of $H_k(x)$ to obtain

$$H_k(k), H_k(\beta + k), \ldots, H_k(kp\beta + k)$$

in $O(M(kp))$ bit operations. Since

$$H_{2k}(x) = H_k(x) H_k(x + k)$$

we may multiply these to obtain

$$H_{2k}(0), H_{2k}(\beta), \ldots, H_{2k}(kp\beta)$$

in $(kp+1)m = O(M(kp))$ bit operations.

We now apply Proposition 4 to the original values again, this time with $\alpha = (kp+1)\beta$, to obtain

$$H_k((kp+1)\beta), H_k((kp+2)\beta), \ldots, H_k((2kp+1)\beta).$$

A final application of Proposition 4 with $\alpha = k$ yields

$$H_k((kp+1)\beta + k), H_k((kp+2)\beta + k), \ldots, H_k((2kp+1)\beta + k).$$

As above we can multiply these to obtain

$$H_{2k}((kp+1)\beta), H_{2k}((kp+2)\beta), \ldots, H_{2k}((2kp+1)\beta).$$

Discarding the last value, we have the desired output. The total complexity is $O(M(kp))$ bit operations. □



EDGAR COSTA AND DAVID HARVEY

In Proposition 7 we will apply the previous result recursively. The following definition consolidates the required invertibility conditions.

Definition 6. Let $r \ge 1$. We say that $\mathcal{H}(2^r, \beta, p)$ holds if $h(2^i, \beta, 2^i p)$ and $h((2^i p + 1)\beta, \beta, 2^i p)$ hold for each $0 \le i < r$. We write

$$\mathcal{D}(2^r, \beta, p) = \prod_{i=0}^{r-1} d(2^i, \beta, 2^i p) \, d((2^i p + 1)\beta, \beta, 2^i p).$$

As before, $\mathcal{H}(2^r, \beta, p)$ holds if and only if $\mathcal{D}(2^r, \beta, p)$ is invertible.

Proposition 7. Assume that $\mathcal{H}(2^r, \beta, p)$ holds and that the inverse of $\mathcal{D}(2^r, \beta, p)$ is known. Let $k = 2^r$. We may compute

$$H_k(0), H_k(\beta), \ldots, H_k(kp\beta)$$

in $O(M(kp) + p^2 m)$ bit operations.

Proof. We first compute $H(x)$ at $x = 0, \beta, \ldots, p\beta$. This can be done in $O(p^2 m)$ bit operations. (This can be improved to $O(M(p) \log p)$ using standard multipoint evaluation techniques, but we will not use this.)

We then apply Proposition 5 successively for $k = 1, 2, 4, \ldots, 2^{r-1}$. The cost at the $i$th step is $O(M(2^i p))$ bit operations. At the $i$th step, we need to supply the inverses of

$$d(2^i, \beta, 2^i p) \quad \text{and} \quad d((2^i p + 1)\beta, \beta, 2^i p).$$

Computing each product can be done in $O(2^i p m)$ bit operations, and with the inverse of $\mathcal{D}(2^r, \beta, p)$ we can compute the inverses sought; all this can be done in $O(kpm)$ bit operations. The total complexity is

$$O(p^2 m + kpm + M(p) + M(2p) + \cdots + M(2^{r-1} p)) = O(p^2 m + M(kp))$$

bit operations. □
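As an added illustration of Propositions 4, 5 and 7 (this is not code from the paper), the following Python carries out the doubling scheme over $\mathbb{Z}/N\mathbb{Z}$ and checks it against direct evaluation of $H_k$. Proposition 4 is replaced by plain Lagrange interpolation, which costs $O(d^2)$ per output point rather than the $O(M(d))$ of [BGS07] and only needs $\beta, \ldots, d\beta$ invertible; the polynomial, $\beta$ and $N$ used in the checks are constructed toy values.

```python
from math import prod

def shift_eval(vals, alpha, beta, N):
    # Proposition 4 by plain Lagrange interpolation (O(d^2) work per output point, not
    # the O(M(d)) method of [BGS07]): from F(0), F(beta), ..., F(d beta), deg F <= d,
    # return F(alpha), F(alpha + beta), ..., F(alpha + d beta) in Z/NZ. Only the
    # denominators (i - l) beta are inverted here, so beta, ..., d beta must be invertible.
    d = len(vals) - 1
    out = []
    for j in range(d + 1):
        s = 0
        for i in range(d + 1):
            num = den = 1
            for l in range(d + 1):
                if l != i:
                    num = num * (alpha + (j - l) * beta) % N
                    den = den * ((i - l) * beta) % N
            s = (s + vals[i] * num * pow(den, -1, N)) % N
        out.append(s)
    return out

def double(hk, k, p, beta, N):
    # Proposition 5: from H_k(0), H_k(beta), ..., H_k(kp beta) compute
    # H_2k(0), H_2k(beta), ..., H_2k(2kp beta), using H_2k(x) = H_k(x) H_k(x + k).
    d = k * p
    hk_k = shift_eval(hk, k, beta, N)                 # H_k(k), ..., H_k(kp beta + k)
    low = [u * v % N for u, v in zip(hk, hk_k)]       # H_2k(0), ..., H_2k(kp beta)
    hi = shift_eval(hk, (d + 1) * beta, beta, N)      # H_k((kp+1) beta), ..., H_k((2kp+1) beta)
    hi_k = shift_eval(hi, k, beta, N)                 # the same points shifted by k
    high = [u * v % N for u, v in zip(hi, hi_k)]      # H_2k((kp+1) beta), ..., H_2k((2kp+1) beta)
    return low + high[:-1]                            # discard the last value: 2kp + 1 values

def H_k_values(H, r, beta, N):
    # Proposition 7: H is given by its coefficients (constant term first), k = 2^r.
    # Evaluate H at 0, beta, ..., p beta naively, then double r times.
    p = len(H) - 1
    vals = [sum(c * pow(x * beta, e, N) for e, c in enumerate(H)) % N for x in range(p + 1)]
    k = 1
    for _ in range(r):
        vals = double(vals, k, p, beta, N)
        k *= 2
    return vals

def H_k_direct(H, k, beta, N):
    # Reference: H_k(x) = H(x) H(x+1) ... H(x+k-1) evaluated directly at 0, beta, ..., kp beta.
    ev = lambda x: sum(c * pow(x, e, N) for e, c in enumerate(H)) % N
    return [prod(ev(i * beta + t) for t in range(k)) % N for i in range(k * (len(H) - 1) + 1)]
```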

3. Application to integer factorization 

We now specialize to $R = \mathbb{Z}/N\mathbb{Z}$. Elements of $R$ are represented in the standard way using bitstrings of length $O(\log N)$. We have $m = O(M_{\mathrm{int}}(\log N))$, and $M(d) = O(M_{\mathrm{int}}(d \log(dN)))$ using Kronecker substitution [Sch82]. If $d = O(N)$, which for us will always be the case, this simplifies to $M(d) = O(M_{\mathrm{int}}(d \log N))$. The inverse of an element of $R$, if it exists, may be computed in time $O(M_{\mathrm{int}}(\log N) \log \log N)$ using a fast extended GCD algorithm [Möl08].

Let $B \ge 2$ be a parameter; an optimal value for $B$ will be chosen later on. Let

$$Q = \prod_{\substack{p \le B \\ p \text{ prime}}} p.$$

We will apply the results of the previous section to the polynomial

$$H(x) = \prod_{\substack{j=1 \\ (j,Q)=1}}^{Q} (Qx + j),$$

which has degree $p = \phi(Q) = \prod_{p \le B} (p-1)$.

We start with an auxiliary result.
We start with an auxiliary result. 
Lemma 8. Let $f_0, \ldots, f_{k-1} \in \mathbb{Z}/N\mathbb{Z}$. Then we can decide if all $f_i$ are invertible modulo $N$ and, if not, find a noninvertible $f_i$ in

$$O(k M_{\mathrm{int}}(\log N) + \log k \, M_{\mathrm{int}}(\log N) \log \log N)$$

bit operations.

Proof. See [BGS07, Lemma 12]. The idea is to apply the GCD to the subproduct tree formed by the $f_i$. □

The core of our algorithm comes next. 

Proposition 9. Let $r \ge 0$ and $b = 4^r pQ$. Assume that $b < N$ and that $(N, Q) = 1$. We can find a prime divisor $\ell$ of $N$ such that $\ell \le b$, or prove that no such divisor exists, in

$$O\left( M_{\mathrm{int}}(2^r p \log N) + (Q^2 + \log(2^r p)) M_{\mathrm{int}}(\log N) \log \log N \right)$$

bit operations.

Proof. We first list the integers $1 \le j \le Q$ such that $(j, Q) = 1$, by computing $(j, Q)$ for each candidate $j$. Noting that $Q < N$, this uses $O(Q M_{\mathrm{int}}(\log N) \log \log N)$ bit operations. Using this list, we compute the coefficients of $H(x)$; the naive algorithm for this uses $O(p^2 M_{\mathrm{int}}(\log N))$ bit operations.

In the algorithm described below, we will test various elements of $\mathbb{Z}/N\mathbb{Z}$ for invertibility. If at any stage we encounter a noninvertible $x$ with $x \le b$, then we are done. Indeed, to find a suitable prime divisor of $N$ it suffices to perform trial division of $x$ by the integers $2 \le \ell \le \sqrt{b}$ with $(\ell, Q) = 1$. The number of such $\ell$ is at most $p \lceil \sqrt{b}/Q \rceil \le p(\sqrt{b}/Q + 1) = 2^r p \sqrt{p/Q} + p = O(2^r p)$, so the cost of these trial divisions is $O(2^r p M_{\mathrm{int}}(\log N)) = O(M_{\mathrm{int}}(2^r p \log N))$.

We would like to apply Proposition 7 to $H(x)$ with $k = \beta = 2^r$. We must first verify that $\mathcal{H}(2^r, 2^r, p)$ is satisfied. This is equivalent to invertibility of

$$2, 3, \ldots, (2^r p + 1)$$

and

$$(2^i - 2^i p \, 2^r), (2^i - (2^i p - 1) 2^r), \ldots, (2^i + 2^i p \, 2^r)$$

for each $0 \le i \le r - 1$. These integers are all bounded (in absolute value) by $b$, and there are $O(2^r p)$ of them. By Lemma 8 we may prove they are invertible, or find a noninvertible one, in

$$O(2^r p M_{\mathrm{int}}(\log N) + \log(2^r p) M_{\mathrm{int}}(\log N) \log \log N)$$

bit operations. Computing $\mathcal{D}(2^r, 2^r, p)$ requires $O(2^r p M_{\mathrm{int}}(\log N))$ bit operations, and finding its inverse has negligible cost. Proposition 7 then computes

$$H_k(0), H_k(k), \ldots, H_k((kp-1)k)$$

using

$$O(M_{\mathrm{int}}(2^r p \log N) + p^2 M_{\mathrm{int}}(\log N))$$

bit operations.

By construction we have

$$\prod_{i=0}^{kp-1} H_k(ik) = \prod_{i=0}^{kp-1} \prod_{\substack{j=1 \\ (j,Q)=1}}^{kQ} (ikQ + j) = \prod_{\substack{j=1 \\ (j,Q)=1}}^{b} j. \tag{1}$$

If any of the $H_k(ik)$ are noninvertible, by Lemma 8 we may find one in

$$O(2^r p M_{\mathrm{int}}(\log N) + \log(2^r p) M_{\mathrm{int}}(\log N) \log \log N)$$

bit operations. In this case we may find a noninvertible integer bounded by $b$ within the same time bound, since $H_k(ik)$ is itself a product of $O(kp)$ integers bounded by $b$. Otherwise we have proved that (1) is invertible, and we are finished. □

Proof of Theorem 1. We will take $B = \frac{1}{11} \log N$. By the prime number theorem we have $\sum_{p \le x} \log p = x + o(x)$ [MV07, Theorem 6.9], so

$$Q = \prod_{p \le B} p = O(N^{(1+o(1))/11}) = O(N^{1/10}).$$

We may remove any factors of $N$ bounded by $B$ with negligible cost, so we may assume that $(N, Q) = 1$.

We now apply Proposition 9, starting with $b = pQ$ ($r = 0$). If we find a prime divisor $\ell \le b$, we remove it from $N$ and repeat. Otherwise we quadruple $b$ (increment $r$) and repeat. We continue until we reach $b \ge \sqrt{N}$; the last iteration has $r = r_0$ where

$$r_0 = \lceil \log_4(\sqrt{N}/pQ) \rceil.$$

To analyze the overall complexity, observe that when we apply the algorithm for a given $b$, all prime divisors $\ell \le b/4$ have already been found and removed. Since their product is bounded by $N$, the number of runs of the algorithm for a given $b$ is bounded by $O(\log N / \log b)$. Therefore the complexity is

$$O\left( \sum_{r=0}^{r_0} \frac{\log N}{\log(4^r pQ)} \left( M_{\mathrm{int}}(2^r p \log N) + (Q^2 + \log(2^r p)) M_{\mathrm{int}}(\log N) \log \log N \right) \right).$$

Since $Q^2 = O(N^{1/5})$ and $r_0 = O(\log N)$, the second term is bounded by $O(N^{1/5} \log^{3+\epsilon} N)$. To estimate the first term, we split the sum into $r \le r_0/2$ and $r > r_0/2$. For the terms with $r \le r_0/2$, we have $2^r = O(N^{1/8}/(pQ)^{1/4}) = O(N^{1/8}/p^{1/2})$, so $2^r p = O(N^{1/8} p^{1/2}) = O(N^{1/8 + 1/20}) = o(N^{1/5})$; thus the sum is bounded by $(\log N)^2 (N^{1/5} \log N)^{1+\epsilon}$. So far these contributions are negligible. The main contribution comes from the terms $r > r_0/2$. For these $r$ we have $4^r pQ \ge N^{1/4}$, so $\log N / \log(4^r pQ) = O(1)$, and the sum is bounded by

$$\sum_{r_0/2 < r \le r_0} O(M_{\mathrm{int}}(2^r p \log N)) = O(M_{\mathrm{int}}(2^{r_0} p \log N)) = O(M_{\mathrm{int}}(N^{1/4} (p/Q)^{1/2} \log N)).$$

But by Mertens' theorem [MV07, Theorem 2.7],

$$\frac{p}{Q} = \frac{\phi(Q)}{Q} = O\left( \frac{1}{\log B} \right) = O\left( \frac{1}{\log \log N} \right),$$

and the desired result follows. □
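The following Python is an added example, not part of the paper: it runs the search of Proposition 9 and the $b$-quadrupling loop from the proof of Theorem 1 on a toy modulus, with the fast evaluation of Section 2 replaced by direct evaluation of $H_k$ over $\mathbb{Z}/N\mathbb{Z}$, and it checks identity (1). $N$, $B$ and the factorizations in the checks are constructed sample values; the functions `search`, `check_identity`, `factor` and `prime_divisor_from` are names chosen here.

```python
from math import gcd, isqrt, prod

def prime_divisor_from(x, N, b):
    # x <= b is noninvertible mod N: trial divide by l <= sqrt(b) as in Proposition 9's proof.
    for l in range(2, isqrt(b) + 1):
        while x % l == 0:
            if N % l == 0:
                return l
            x //= l
    return x                                          # the survivor is a prime <= b dividing N

def search(N, Q, J, r):
    # One run of Proposition 9 (k = 2^r, b = 4^r p Q), with the fast evaluation of
    # Propositions 4-7 replaced by direct evaluation of H_k. Returns (l, b, values).
    p, k = len(J), 2 ** r
    b = 4 ** r * p * Q
    H_k = lambda x: prod(Q * (x + t) + j for t in range(k) for j in J) % N
    values = [H_k(i * k) for i in range(k * p)]      # the kp factors on the left of (1)
    for i, v in enumerate(values):
        if gcd(v, N) != 1:                            # Lemma 8 step: a noninvertible H_k(ik)
            xs = [Q * (i * k + t) + j for t in range(k) for j in J]   # its factors, all <= b
            x = next(x for x in xs if gcd(x, N) != 1)
            return prime_divisor_from(x, N, b), b, values
    return None, b, values                            # no prime divisor l <= b outside Q

def check_identity(N, Q, J, r):
    # Identity (1): prod_i H_k(ik) equals the generalized factorial of b modulo N.
    _, b, values = search(N, Q, J, r)
    rhs = prod(j for j in range(1, b + 1) if gcd(j, Q) == 1) % N
    return prod(values) % N == rhs

def factor(N, B):
    # Proof of Theorem 1 with a fixed B: strip the primes p <= B from N, then run the
    # search for r = 0, 1, 2, ... until b >= sqrt(N); the remaining cofactor is 1 or prime.
    Q, factors, r = 1, [], 0
    for q in range(2, B + 1):
        if all(q % t for t in range(2, q)):           # q prime (B is tiny here)
            Q *= q
            while N % q == 0:
                factors.append(q); N //= q
    J = [j for j in range(1, Q + 1) if gcd(j, Q) == 1]   # residues coprime to Q; p = phi(Q)
    while N > 1:
        l, b, _ = search(N, Q, J, r)
        if l is not None:
            factors.append(l); N //= l
        elif b * b >= N:
            factors.append(N); N = 1
        else:
            r += 1
    return sorted(factors)
```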